Policy: Data Classification and Protection

Summary

The purpose of this policy is to establish a data classification scheme and set of protocols to ensure that Massasoit Community College remains in compliance with pertinent federal and Massachusetts state laws; to protect Massasoit students, faculty, and staff from unauthorized disclosure of confidential information; and to protect the College and its employees from financial and reputational harm.

Body

DATA PROTECTION

Educational institutions generate, handle, and store large amounts of data, including student, employee, educational, research, and financial data. These data need to be protected from “corruption, misapplication, compromise, misuse, and loss.” Data protection focuses on “how to apply the three critical information security imperatives: confidentiality, integrity, and availability” (EDUCAUSE Center for Analysis and Research, Data Protection Primer for Higher Education, ECAR Working Group Paper, June 20, 2016).

 

PURPOSE

The purpose of this policy is to establish a data classification scheme and set of protocols to ensure that Massasoit Community College remains in compliance with pertinent federal and Massachusetts state laws; to protect Massasoit students, faculty, and staff from unauthorized disclosure of confidential information; and to protect the College and its employees from financial and reputational harm.

 

SCOPE

This policy applies to all college employees, contractors, and individuals who have access to MCC data and information.  Data protected under this policy can reside on or in a variety of media (e.g., electronic files, paper documents, shred bins, physical servers, virtual servers, databases, file servers, personal computers, USB drives, and mobile devices) and can move through a variety of methods (human, network, wireless, etc.).

 

POLICY

All Massasoit employees and affiliated individuals with access to non-public data and information that are produced, stored, or managed by the College will be informed of the data security classification levels outlined in this document (page 2) and must adhere to the specific protocols established for each classification level (pages 3-4).

 

TRAINING

The effectiveness of this policy depends upon increasing awareness of information security responsibilities. Informational materials will be distributed to all current employees, and all new employees will be provided with policy information during their onboarding.  Specific objectives include ensuring that Massasoit employees and affiliates:

  • Are aware of the need to protect data and information in accordance with federal and state laws.
  • Are informed of the data classification scheme and understand the different security measures required for each classification level.
  • Are knowledgeable about the College’s information security policies and practices.
  • Clearly understand their responsibilities for protecting non-public data and information.

ENFORCEMENT

Any employee found to have violated, intentionally or unintentionally, this policy may be subject to disciplinary action, up to and including termination of employment.

 

DATA CLASSIFICATION

Data classification, in the context of information security, is the classification of data based on their level of sensitivity and the impact on the College should that data be disclosed, altered, or destroyed without authorization. Classification of data aids in determining baseline security controls for the  protection of the data.  This policy hereby formalizes the classification of all institutional data into one of four sensitivity levels (tiers), or classifications:

 

Classification

Examples

Access

Security

Tier 1: Restricted Data

 

Data whose access is restricted by law or non-disclosure agreements. Restricted data are specific types of confidential data requiring an extra level of security.

  • Social Security numbers
  • Credit Card numbers
  • Student grades
  • Employee or student medical information
  • Proprietary information shared by a 3rd party under a non-disclosure agreement

*See “Types of Restricted Data” in the next section.

Limited to individuals in roles requiring access for fulfillment of professional responsibilities, and who have been authorized access by the area VP.

Highest

 

See section on “Storage and Handling of Restricted Data.”

Tier 2: Confidential Data

 

Data whose unauthorized disclosure could constitute an invasion of privacy, or cause financial loss or damage to the college’s reputation and the loss of community confidence

  • Student information that is not an official part of the record covered by FERPA
  • Employee personnel files
  • Performance evaluations
  • Student evaluation forms
  • Budget data

Limited to individuals in roles requiring access for fulfillment of professional responsibilities, and who have been authorized access by a manager at or above Director level.

High

 

Store in a secure server or locked file cabinet.

Share files with authorized users via authorized file sharing applications.

Do not email unless encrypted.

Tier 3: Internal/Private Data

 

Data whose unauthorized disclosure, alteration or destruction could result in a moderate risk to the college and its affiliates.

 

  • Information contained in Massasoit’s internal portal
  • Students’ academic work
  • Faculty academic work
  • MCC statistics and performance metrics
  • Student survey data
  • Any information that has not been explicitly classified as either public, confidential, or restricted

 

Limited to the Massasoit community on a “need to know basis.” Access is granted by the data owner/manager.

 

Students, as owners of their academic work, must grant access before faculty or others may use it for purposes other than assessing student learning in a course.

 

Access may be extended to community groups by permission settings on authorized file sharing applications.

Moderate

 

Apply professional judgment on a case-by-case basis regarding data storage and transmission.

Tier 4: Public Data

 

Data that is accessible to the public by law, or whose disclosure presents little or no risk to the College and its affiliates.

 

 

  • Information contained on Massasoit’s public website
  • Data reported to, and made public by, the U.S. Department of Education (IPEDS, etc.) and MA Department of Higher Education

 

Access is unrestricted; Data and information are available to the public.

Low

 

No security to access, but precautions taken to protect the integrity of the data.

 

 

TYPES OF RESTRICTED DATA

“Restricted data” are defined as ‘any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transmission.’  Restricted data include, but is not necessarily limited to:

  • Personally Identifiable Information (PII) – Described below
  • Private Educational Records protected under FERPA – Described below
  • Payment Card Information (PCI) – Described below
  • Electronic Protected Health Information (ePHI) protected by Federal HIPAA legislation or Massachusetts medical privacy laws
  • Information whose confidentiality is legally protected by a contract or non-disclosure agreement
  • Other information whose unauthorized access or disclosure could have a high degree of adverse effect on individuals or the College

 

Personally Identifiable Information (PII)

Protected under state law – MA 201 CMR 17.00

Unencrypted electronic information that includes an individual’s first name or first initial and last name, in combination with any one or more of the following:

  • Social security number
  • Driver’s license or state-issued ID number (does not include a Massasoit ID or V#)
  • Financial account number, credit card number, or debit card number with or without any security code, access code, or password

 

Payment Card Information (PCI)

Per widely accepted Data Security Standards (PCI DSS) issued by the Payment Card Industry Security Standards Council

Credit card account number with any of the following:

  • Cardholder name
  • Service code
  • Expiration date

 

Private Educational Record

Protected under federal law - FERPA

The Family Educational Rights and Privacy Act of 1974 (FERPA) is a federal law protecting the privacy of student records.  An ‘education record’ is any record maintained by the College or its employees in which a student can be personally identified. FERPA applies to any and all student data unless specifically exempted as ‘directory information’ that may be made public unless a student requests that it remain confidential.  (The allowable directory exemptions are listed in the Massasoit Student Handbook.) 

 

Examples of student data restricted by FERPA.

Unencrypted electronic information that includes an individual’s name, student ID or any other personal identifier, in combination with any one or more of the following:

  • Address
  • Birth date
  • Gender
  • Citizenship
  • Marital status
  • Disciplinary status
  • Financial aid, tuition, payments, account balances
  • Grades, exam scores, or GPA
  • Applications and admissions information
  • Evaluations, forms, memos, or correspondence to and about the student

 

STORAGE AND HANDLING OF RESTRICTED DATA

For each restricted data type, the data handling requirements and restrictions are defined to appropriately safeguard the information. Authorization to access restricted data will be based on an employee’s position and job responsibilities and granted by the area Vice President, in consultation with the Chief Information Officer and Associate Dean of Institutional Research. All employees must adhere to the following requirements and restrictions regarding the storage and handling of unencrypted restricted data

 

Technologies Used

PCI/

HIPAA

PII

FERPA

On-premises storage device (MCC network shared drive)

No

Yes – With access limited to authorized persons only

Yes – With access limited to authorized persons only

Authorized cloud storage provider

(Massasoit OneDrive

Google Drive)

No

Yes – With access limited to authorized persons only

Yes – With access limited to authorized persons only

Workstation   (on-campus college owned and managed computer)

No

Data on server should not be stored on workstation hard drive/internal memory except in rare cases, and only with authorization.

Data on server should not be stored on workstation hard drive/internal memory except in rare cases, and only with authorization.

Copying/printing

No

Should only be printed for legitimate need.  Print should not be left unattended on a

printer/fax or in a public area.

Must be sent via

confidential envelope.

 

Should only be printed for legitimate need. Print should not be left unattended on a

printer/fax or in a public area.

Must be sent via

confidential envelope.

 

Mobile computing devices

(College-owned laptops, tablets, smart phones)

No

Requires authorization and should be rare.

Requires password protection.

 

Requires authorization and should be rare. Requires password protection.

Removable media

(CDs, USB drives)

No

Requires authorization and should be rare.

Requires password protection and encryption.

Requires authorization. Requires password protection and encryption.

Electronic file transfer

No

Requires secure file transfer protocol (SFTP)

Requires secure file transfer protocol (SFTP)

College-provided email

No

Only Name, College ID, and Directory Information are permitted

Only Name, College ID, and Directory Information are permitted

Personal email

No

No

No

Personally managed computer (home computer or personal laptop)

No

No

No

Personal smart phone

No

No

No

 

ROLES AND RESPONSIBILITIES

 

ROLE

RESPONSIBILITY

Chief Information Officer

Responsible for managing the Information Security and Data Protection training and awareness initiative regarding storage and transmission of data.

Associate Dean of Institutional Research

Responsible for assigning data classifications in consultation with senior administrators and data stewards, and for educating administrators and data stewards about access restrictions.

All Managers

Responsible for ensuring that all employees are appropriately trained and understand their roles in adhering to the Information Security and Data Protection Policy.

All College Employees

Encouraged to complete IT security training.  Review and understand all MCC “Information Security Policies and Guidelines”

 

Details

Details

Article ID: 76519
Created
Sat 4/20/19 4:14 PM
Modified
Thu 6/16/22 10:03 AM

Related Articles

Related Articles (1)

Instructions for sending encrypted email messages